20802 matches found

Snyk
added 2026/03/07 6:45 p.m., 3 views

Relative Path Traversal

Overview: pyload-ng is a free and open-source download manager written in pure Python. Affected versions of this package are vulnerable to Relative Path Traversal via the editpackage function when processing the packfolder parameter. An attacker can overwrite arbitrary files on the system by...

CVSS 7.1, AI score 6, EPSS 0.00517
Exploits: 1, References: 2

Snyk
added 2026/03/07 6:44 p.m., 2 views

Directory Traversal

Overview: parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Directory Traversal via the PagesRouter static file. An attacker can read arbitrary files outside the intended directory by...

CVSS 8.2, AI score 6.2, EPSS 0.00312
Exploits: 0, References: 2

NVD
added 2026/03/07 5:15 p.m., 4 views

CVE-2026-30848

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.8 and 9.5.0-alpha.8, the PagesRouter static file serving route is vulnerable to a path traversal attack that allows unauthenticated reading of files outside the configured...

CVSS 6.3, EPSS 0.00312
Exploits: 0, References: 1

Cvelist
added 2026/03/07 4:20 p.m., 26 views

CVE-2026-30848 Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.8 and 9.5.0-alpha.8, the PagesRouter static file serving route is vulnerable to a path traversal attack that allows unauthenticated reading of files outside the configured...

CVSS 6.3, EPSS 0.00312
Exploits: 0, References: 1

ATTACKERKB
added 2026/03/07 4:20 p.m., 3 views

CVE-2026-30848

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.8 and 9.5.0-alpha.8, the PagesRouter static file serving route is vulnerable to a path traversal attack that allows unauthenticated reading of files outside the configured...

CVSS 6.3, AI score 5.7, EPSS 0.00312
Exploits: 0, References: 2, Affected Software: 1

Vulnrichment
added 2026/03/07 4:20 p.m., 1 view

CVE-2026-30848 Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.8 and 9.5.0-alpha.8, the PagesRouter static file serving route is vulnerable to a path traversal attack that allows unauthenticated reading of files outside the configured...

CVSS 6.3, AI score 5.7, EPSS 0.00312
Exploits: 0, References: 1

CVE
added 2026/03/07 4:20 p.m., 11 views

CVE-2026-30848

Parse Server’s PagesRouter is vulnerable to a path traversal issue prior to versions 8.6.8 and 9.5.0-alpha.8. The boundary check uses a string prefix comparison without enforcing a directory separator boundary, enabling unauthenticated access to files outside the configured pagesPath by traversal...

CVSS 6.3, AI score 5.7, EPSS 0.00312
Exploits: 0, References: 1, Affected Software: 1

OSV
added 2026/03/07 4:20 p.m., 3 views

CVE-2026-30848 Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.8 and 9.5.0-alpha.8, the PagesRouter static file serving route is vulnerable to a path traversal attack that allows unauthenticated reading of files outside the configured...

CVSS 6.3, AI score 5.7, EPSS 0.00312
Exploits: 0, References: 3

PyPA
added 2026/03/07 4:15 p.m., 8 views

PYSEC-2026-121

pyLoad is a free and open-source download manager written in Python. From version 0.5.0b3.dev13 to 0.5.0b3.dev96, the editpackage function implements insufficient sanitization for the packfolder parameter. The current protection relies on a single-pass string replacement of "../", which can be...

CVSS 7.1, AI score 5.7, EPSS 0.00517
Exploits: 1, References: 1, Affected Software: 1

NVD
added 2026/03/07 4:15 p.m., 3 views

CVE-2026-29778

pyLoad is a free and open-source download manager written in Python. From version 0.5.0b3.dev13 to 0.5.0b3.dev96, the editpackage function implements insufficient sanitization for the packfolder parameter. The current protection relies on a single-pass string replacement of "../", which can be...

CVSS 7.1, EPSS 0.00517
Exploits: 1, References: 1

OSV
added 2026/03/07 4:15 p.m., 7 views

PYSEC-2026-121

pyLoad is a free and open-source download manager written in Python. From version 0.5.0b3.dev13 to 0.5.0b3.dev96, the editpackage function implements insufficient sanitization for the packfolder parameter. The current protection relies on a single-pass string replacement of "../", which can be...

CVSS 6.5, AI score 5.7, EPSS 0.00517
Exploits: 1, References: 1

OSV
added 2026/03/07 3:28 p.m., 2 views

CVE-2026-29778 pyLoad: Arbitrary File Write via Path Traversal in edit_package()

pyLoad is a free and open-source download manager written in Python. From version 0.5.0b3.dev13 to 0.5.0b3.dev96, the editpackage function implements insufficient sanitization for the packfolder parameter. The current protection relies on a single-pass string replacement of "../", which can be...

CVSS 7.1, AI score 5.7, EPSS 0.00517
Exploits: 1, References: 3

Cvelist
added 2026/03/07 3:28 p.m., 30 views

CVE-2026-29778 pyLoad: Arbitrary File Write via Path Traversal in edit_package()

pyLoad is a free and open-source download manager written in Python. From version 0.5.0b3.dev13 to 0.5.0b3.dev96, the editpackage function implements insufficient sanitization for the packfolder parameter. The current protection relies on a single-pass string replacement of "../", which can be...

CVSS 7.1, EPSS 0.00517
Exploits: 1, References: 1

ATTACKERKB
added 2026/03/07 3:28 p.m., 1 view

CVE-2026-29778

pyLoad is a free and open-source download manager written in Python. From version 0.5.0b3.dev13 to 0.5.0b3.dev96, the editpackage function implements insufficient sanitization for the packfolder parameter. The current protection relies on a single-pass string replacement of "../", which can be...

CVSS 7.1, AI score 5.7, EPSS 0.00517
Exploits: 1, References: 2, Affected Software: 1

Vulnrichment
added 2026/03/07 3:28 p.m., 3 views

CVE-2026-29778 pyLoad: Arbitrary File Write via Path Traversal in edit_package()

pyLoad is a free and open-source download manager written in Python. From version 0.5.0b3.dev13 to 0.5.0b3.dev96, the editpackage function implements insufficient sanitization for the packfolder parameter. The current protection relies on a single-pass string replacement of "../", which can be...

CVSS 7.1, AI score 5.7, EPSS 0.00517
Exploits: 1, References: 1

CVE
added 2026/03/07 3:28 p.m., 10 views

CVE-2026-29778

pyLoad: Arbitrary File Write via Path Traversal in edit_package() is confirmed. Affected range: 0.5.0b3.dev13–0.5.0b3.dev96; fix patched in 0.5.0b3.dev97. The issue stems from insufficient sanitization of pack_folder, relying on a single-pass "../" replacement, which can be bypassed by crafted re...

CVSS 7.1, AI score 5.7, EPSS 0.00517
Exploits: 1, References: 1, Affected Software: 1

NVD
added 2026/03/07 3:15 p.m., 5 views

CVE-2026-29185

Backstage is an open framework for building developer portals. Prior to version 1.20.1, a vulnerability in the SCM URL parsing used by Backstage integrations allowed path traversal sequences in encoded form to be included in file paths. When these URLs were processed by integration functions that...

CVSS 2.7, EPSS 0.00348
Exploits: 0, References: 1

Vulnrichment
added 2026/03/07 3:2 p.m., 3 views

CVE-2026-29185 @backstage/integration: Potential reading of SCM URLs using built in token

Backstage is an open framework for building developer portals. Prior to version 1.20.1, a vulnerability in the SCM URL parsing used by Backstage integrations allowed path traversal sequences in encoded form to be included in file paths. When these URLs were processed by integration functions that...

CVSS 2.7, AI score 5.7, EPSS 0.00348
Exploits: 0, References: 1

Cvelist
added 2026/03/07 3:2 p.m., 29 views

CVE-2026-29185 @backstage/integration: Potential reading of SCM URLs using built in token

Backstage is an open framework for building developer portals. Prior to version 1.20.1, a vulnerability in the SCM URL parsing used by Backstage integrations allowed path traversal sequences in encoded form to be included in file paths. When these URLs were processed by integration functions that...

CVSS 2.7, EPSS 0.00348
Exploits: 0, References: 1

CVE
added 2026/03/07 3:2 p.m., 16 views

CVE-2026-29185

Backstage's CVE-2026-29185 affects the SCM URL parsing logic in the Backstage integration component. Before version 1.20.1, encoded path traversal sequences could be included in SCM URLs and, when processed by integration functions that construct API URLs, cause traversal segments to redirect req...

CVSS 2.7, AI score 5.7, EPSS 0.00348
Exploits: 0, References: 1, Affected Software: 1